From mboxrd@z Thu Jan  1 00:00:00 1970
From: Chris Marusich <cmmarusich@gmail.com>
Subject: Re: certbot service experience
Date: Sat, 29 Apr 2017 19:15:49 -0700
Message-ID: <87mvayhc8a.fsf@gmail.com>
References: <87tw56dhlp.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53438)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <cmmarusich@gmail.com>) id 1d4eP4-0003ol-2V
	for guix-devel@gnu.org; Sat, 29 Apr 2017 22:16:03 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <cmmarusich@gmail.com>) id 1d4eOz-00022A-1m
	for guix-devel@gnu.org; Sat, 29 Apr 2017 22:16:02 -0400
Received: from mail-pf0-x243.google.com ([2607:f8b0:400e:c00::243]:36005)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <cmmarusich@gmail.com>)
	id 1d4eOy-00020M-RT
	for guix-devel@gnu.org; Sat, 29 Apr 2017 22:15:56 -0400
Received: by mail-pf0-x243.google.com with SMTP id v14so23191613pfd.3
	for <guix-devel@gnu.org>; Sat, 29 Apr 2017 19:15:56 -0700 (PDT)
In-Reply-To: <87tw56dhlp.fsf@dustycloud.org> (Christopher Allan Webber's
	message of "Sat, 29 Apr 2017 16:33:22 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Christopher Allan Webber <cwebber@dustycloud.org>
Cc: Guix-devel <guix-devel@gnu.org>, 26685@debbugs.gnu.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Christopher Allan Webber <cwebber@dustycloud.org> writes:

>  - I was surprised that I was prompted for an email while doing guix
>    system reconfigure

That does seem odd.  Why were you prompted for an email address?  Can
that be fixed somehow?

>   2) Enable the certbot-service-type (and mcron-service-type if you
>      haven't already):
>
>        (service certbot-service-type
>                 (certbot-configuration
>                  ;; Replace these with your own domain and web root
>                  (hosts '("test.activitypub.rocks"))
>                  (webroot "/srv/activitypub.rocks/site/")))
>        ;; if you don't have an mcron service already
>        (service mcron-service-type)

Where is the certbot-service-type defined?  I couldn't find it in the
master branch.  Also, why is mcron required?  I don't know much about
LetsEncrypt, but I thought certbot was a one-time thing that you do
manually...  Why is it a "service" here?

>   3) Okay hopefully that went successfully!  It should say.  Assuming it
>      did, *now* we can add the keys appropriately to the nginx config.
>
>        (service nginx-service-type
>                 (nginx-configuration
>                  (server-blocks
>                   (list
>                    (nginx-server-configuration
>                     ;; Again, adjust to your site
>                     (server-name '("test.activitypub.rocks"))
>                     (root "/srv/activitypub.rocks/site/")
>                     (ssl-certificate
>                      "/etc/letsencrypt/live/test.activitypub.rocks/fullch=
ain.pem")
>                     (ssl-certificate-key
>                      "/etc/letsencrypt/live/test.activitypub.rocks/privke=
y.pem"))))))
>
>      Reconfigure and cross your fingers!
>
>   4) At this point I was surprised that it seemed like nginx should have
>      been working with https since everything was in place, but I
>      couldn't access it from my browser over https.  Frustrated, I
>      restarted the server.
>
>      And then it worked! :)
>
> So, this involved reconfiguring, reconfiguring, reconfiguring, and then
> a restart, then it worked for me.  (Well, plus a few reconfigures where
> nothing worked at all because I broke things of course. ;))  I wonder if
> that can be improved?

I wonder if it is possible to define a custom service which orchestrates
the execution of nginx and certbot in the way you require, so that you
can define it all in one place, at once, without needing to reconfigure
multiple times?

> That said, it's still really exciting to be able to describe these
> things declaratively, and to have Guix take care of keeping things
> renewed for me. :)  Excited to have this landing, and to be that much
> closer to doing server deployment with GuixSD!

Pretty cool!  Thanks for sharing your experience.  It's always neat to
read about how people are using the system.

=2D-=20
Chris

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAlkFSNYACgkQ3UCaFdgi
Rp1yfg//WB7x80tP/olsgZ9E3j7eOyz/EV8n/+JxgKCFx8KdUAZU3+xm4+d1Lu4l
wYun6ZGbz5PZ9WEt1LaEWy7S1eCgcf6GoKJQKEIqoWs+wP3Z37rG/7IBnLhYKyn3
Mh3R4bGovDPE9NwJxnuX8h0cQppH62PdOzjTgTcWYlW3ilmraq4eP2Fmcsw9K8IT
uP3SKtfyG1Kaoi7CrGuOMJT8T/OxzbjkGYnZ5rga1cAin+2ZrIVmGCqk3LaANSkH
dDCvAsShllWNyWnwt0jbrTXGMdp/Z/GpUniPtTCrudMnrT/zoWfEhIWu2ukAnBfp
7lyS9gal62B66eV639Rv6UhONWQRhQwBjv+M6hoKCOYOYw67VH3lYRUA/i3TfdYH
6LriAU3BxmCKxo7eGdL/vh5K1y0eMAIB4Z+49P9CuSdds94z7lC4gEJ/rZy5PIX+
4XMGYfeX5VaBAxV8D+d1w4VBllP4dvjuvZBMsFamgAqE26KwKV7ClWq77oqmRuU4
biEumlOoqgiwksWQVpHwN5VzKDsy2vfWU6oHiPczq3Ffou8p0xXWQ8wFSqMhFmCF
HnX5FSAMtM4NZtgAQtBaffUo9SD7hBrmc2uqqYnu4R1wiGxk8zbiFG7bD0UoEk3j
w/kYVTdT7pIej6c/LofM6PTwMdNIM+ZqFT3wBzES9A3aHevLzHI=
=n216
-----END PGP SIGNATURE-----
--=-=-=--